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PRIVATE RETRIEVAL OF DIGITAL OBJECTS 



Technical Field 

The present invention relates generally to secure and private communications 
enabling retrieval of digital objects from a computerized database. 

Backgroimd Art 

The World Wide Web (WWW) has evolved from a service focused on academic 
areas and offering scientific content into a medium for common users to access 
information of various origins. While surfing the Web, many users are not aware that a 
large nvimber of organizations such as those in the marketing indiastry are gathering 
their private information- This information is supplemented when a user accesses a 
Web site, dicks a Web page, makes an electronic purchase, or downloads a file- From 
all the records and computerized analysis, the information coUector can build a digital 
dossier about the users — what they do, where ihey go, what they read, what they buy, 
etc. 

There has, therefore, been general recognition of the need for privacy protection 
on the Internet. One situation in which privacy is a large concern is when databases 
containing users' personal information are accessed. To illustrate, suppose there is a 
database that maintains groups of digital objects, and a user wishes to retrieve a subset 
of the digital objects. Two desirable constraints on database access are as follows: 
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1) the user can access the data the user wants, without disclosing to the database 
the specific digital objects actually desired; and 

2) the user can not get any additional information from the database without the 
consent of the database. 

The first constraint is referred to as user privacy and the second constraint is referred to 
as database security. 

One example that illustrates these concepts is the task of providing electronic 
newspaper services over the Intemet. A database maintains a collection of digital news 
articles. Assiuning that a subscriber requests n articles, database security requires that 
the subscriber gets only n articles, while user privacy requires that the database cannot 
determine which n specific articles are retrieved by the subscriber. 

The problem of private infoarmation retrieval was reviewed by B. Chor, 
O. Goldreich, E. Kxishilevita, and M. Sudan, 'Private Information Retrieval," Proceedings 
of the 36h Annual Symposium on Foundations of Computer Science, pp, 41-50, 1995. The 
authors were concerned with information-theoretical security and proposed a solution 
using multiple databases. However, the security of this solution relies on the 
assumption that the multiple databases do not commimicate with each other, which is 
not guaranteed to be the case, and is additionally outside of the user's control and 
ability to independently verify. 

Private information retrieval schemes using a single database were later 
proposed in B. Chor and N. Gilboa, "Computational Private Information Retrieval," 
Proceedings of the 29th Annual ACM Symposium on Theory of Computing, pp. 304^313, 1997, 
and Kushilevita and R- Ostrovsky, "Single-Database Computationally Private 
Information Retrieval," Proceedings of the 38th Annual Symposium on Foundation of 
Computer Science, 1997. These solutions are concerned with security based on 
computational assumption theory, and in particular the difficulty of factoring large 
prime numbers, as is done in the well-known RSA encryption scheme. However, the 



jl2 OCT 

3 

computational costs of these solutions are prohibitively large due to their bit-by-bit 
processing approach^ For example, the scheme in the Kushilevita and Ostrovsky 
reference requires a computational cost on the order of 0(N) multiplication modulo a 
1024-bit number just to retrieve 1 bit of information, where N is the number of bits of 
data maintained by the database. 

The requirement of database secvuity in the context of private information 
retrieval was studied in Gertner, Y. Ishai, E. Kushilevita and T. Malkin, 'Protecting 
Data Privacy in Private Information Retrieval Schemes," Proceedings of the 30th ACM 
Annual Symposium on Theory of Computing, 1998. 

All of the proposed solutions to the problem of private information retrieval 
described above employ the bit-by-bit processing approach. Therefore^ they have only 
theoretical values, and are not feasible in practical applications, because of the time that 
would be required to solve each problem. 

Therefore, what is needed is a way of allowing a user to achieve information 
retrieval from a database in an efficient manner while maintaining privacy. 

Disclosure of Invention 

In accordance with the present invention, there is provided a way to allow a user 
(102) to achieve private information retrieval from a database (104) in an efficient 
manner. The database (104) maintains one or more groups (106) of digital objects (202) 
available for users to access. A user (102) can retrieve a subset of digital objects (202) 
from a group (106) of digital objects (202) in the database (104) such that: 

1) the user can access the data (202) the user (102) wants, without disclosing to the 
database (104) the specific digital objects (202) actually desired; and 

2) the user (102) can not access additional information (202) from the database (104) 
without the consent of the database (104). 
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Objects (202) in the database (104) are stored in one or more different groups 
(106). The user (102) identifies some particular objects (202) of interest in the database 
(104), and additionally to which groups (106) those objects (202) belong. The user (102) 
then sends (302) a request to the database (104), specifying only the groups (106) 
containing the desired objects (202), but does not specifically identify the particular 
digital objects (202) desired. At this point, an electronic commerce transaction might 
take place, where the user (102) pays for access to a specified number of digital objects 
(202). The database (104) then encrypts (304) all digital objects (202) in each requested 
group (106) into dphertext (206). In addition, a key (204) for each dphertext (206) is 
encrypted (306). The database (104) then sends back (308) to the user (102) both the 
dphertexts (206) and the assodated encr3rpted keys (208). 

At this point, the database (104) knows only that the user (102) desires one or 
more digital objects (202) from a particular group (106) of digital objects in the database 
(104), but is tinable to determine which particular objects (202) are of interest. 

The user identifies (310) the dphertexts (206) of tiie desired digital objects (202), 
and tiieir assodated keys (208). Next, the user re-encrypts (312) the identified keys 
(208), and returns (314) the re-encrypted keys (506) to the database (104). The database 
decrypts (316) the keys (506) to the extent that it is able — ^i.e., the database (104) reverses 
the encryption it previously applied to those keys (506). However, the database (104) is 
imable to identify which digital objects (202) the keys (506) are assodated with, because 
the keys (512) remain encrypted with the user's encryption scheme. The database (104) 
now sends (318) ttie keys (512) back to the user (102). 

Qnce the user (102) receives the keys (512) back from the database (104), the next 
step is simply to decrypt (320) them using the user's own decryption scheme (604), thus 
revealing the imencrypted keys (204). Finally, the user (102) uses those keys (204) to 
decrypt (322) the appropriate digital object dphertexts (206). 



Since the database (104) is unable to determine which keys (204) it has decrypted, 
user (102) privacy is maintained. And, since the user (102) cannot gain access to any 
key (204) unless the database (104) first decrypts it, the user (102) will not be able to 
access any more objects (202) than are authorized. Thus, both constraints discussed 
above have been satisfied. 

The present invention does not require multiple databases. Processing is digital 
object (202) oriented instead of bit oriented. User (102) privacy is guaranteed without 
any computational constraint and without additional constraints on the "honesty^' of 
the database (104). This means that the user's interest in specific digital objects (202) is 
not disclosed. The security of the database (104) is based on the assumption of the 
intractability of computing discrete logarithms, which forms the basis of many existing 
digital signature schemes and ttie Diffie-Hellman key exdiange protocol. See W. Diffie 
and M. Helhnan, "New directions in crjrptography," IEEE Transactions on Information 
Theory, Vol. IT-22, No. 6, pp. 644-654, November 1976. 

The present invention also provides a balance between user (102) privacy and 
communication cost. Communication cost can be reduced by decreasing the size of a 
digital object group (106), while a large digital object group (106) size gives better user 
(102) privacy protection. 

Brief Description Of The Drawings 

These and other more detailed and specific objects and features of the present 
invention are more fully disclosed in the following specification, reference being had to 
the accompanying drawings, in which: 

Fig, 1 is a block diagram of a data access system between a (102) user and a 
database (104). 
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Fig. 2 is a block diagram of digital objects (202) inside a group (106), and 
corresponding keys (204), dphertexts (206), and key dphertexts (208) associated with 
the digital objects (202). 

Fig- 3 is a flowchart of the operation of the illustrative embodiment of the present 
invention. 

Fig. 4 is a block diagram illustrating tiie enayption of digital objects (202) into 
dphertext (206), and of keys (204) into key dphertexts (208). 

Figs- 5a and 5b are block diagrams illustrating, respectively, the re-encryption of 
a dphertext key (208), and the partial decryption of such a key (208). 

Figs- 6a and 6b are block diagrams illustrating, respectively, the decryption of a 
key (512), and the decryption of a digital object dphertext (206) using a key (204). 

Fig. 7 is a block diagram of an apparatus that is a preferred embodiment of the 
present invention. 

Detailed Description Of The Preferred Embodiments 

A cryptographic system, or cryptosystem, has an encryption key to convert 
plaintext into dphertext and a decryption key to recover the plaintext froin dphertext. 
If the encryption key and the decryption key are identical, the cryptosystem is called a 
symmetric key cryptosystem. If the enayptLpn key and the decryption key are different 
and it is computationally infeasible to determine the decryption key from the 
mathematically-related encryption key, the cryptosystem is called an asymmetric key 
cryptosystem, or a public key cryptosystem. For illustrative purposes, the preferred 
embodiments described here make reference to symmetric key cryptosystems for 
encryption and decryption. It will be apparent to those skilled in the art, however, that 
asymmetric key cryptosystems could also be used. See, for example, A. Menezes, 
P. Oorschot, and S. Vanstone, Handbook of Applied Cryptograph}/, CRC Press, 1996, or C. 
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Kaufman, R. Perlman, and M. Speciner^ Network Security - Private Communication in A 
Public World, FTR Prentice HaU, Englewoor Cliffs, NJ, 1995, 

For purposes of clarity, we use e(k, m) to denote encryption of a digital object m 
with key fc in a symmetric key cryptosystem; and d(k, c) to denote the decryption of a 
dphertext c with key fc in a sjmimetric key cryptosystem. 

Fig. 1 is a model of a data access system between a user 102 and a database 104. 
The s)rstem contains a user 102, and a database 104, The database 104 maintains groups 
106 of digital objects m 202. The user 102 wishes to access digital objects 202 in the 
database 104 by subscribing to the database's service, or by paying the database 104 
with electronic cash, or by other means as required by the database 104. A connection 
108 between the user 102 and the database 104 could be any standard communication 
media, such as the Internet or other wide area network. Further, the database 104 
maintains one or more groups 106 of digital objects m , and the user 102 is interested in 
retrieving digital objects 202 from ttie group of N digital objects {m, i = 1, 2, N} 106 in 
the database 104. In Fig. 1, the illustrated database 104 contains Groups A through G; 
however it will be appreciated that the present invention is applicable to a database 104 
containing any number of groups 106. It should also be noted that the particular 
manner in which the user 102 discovers the desired group 106 is not material to the 
present invention. All that is required is that the user 102, either directly or through the 
use of client software operated by the user 102, be aware of the digital object 202 the 
user wants, and the group 106 in which that object 202 is located. 

Fig- 2 is a block diagram of a group 106 of digital objects 202 contained within the 
database 104. A group 106 contains one or more digital objects 202. The niunber of 
digital objects 202 in a group 106 is determined by the operator/maintainer of the 
database 104, and may be determined by factors not within the scope of the present 
invention. For purposes of the present invention, however, it will be noted from the 
description that decreasing the size of a group 106 reduces communication cost, but also 
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decreases privacy protection for the user 102. Initiailyy encryption is performed upon 
all objects 202 in the group 106, as indicated below- Thus, each digital object 202 in the 
group 106 will have a dphertext 206 and a key 204, and each key 204 will additionally 
have an associated dphertext 208- 

Fig* 3 shows a flowchart of the operation of a preferred embodiment of the 
present invention. The database 104 and user 102 have agreed on some prime number 
p, such that p = vq + 1, where q is a large prime number, for example 160 bits in length, 
and V is a large integer, for example 800 bits in length. The prime number q is chosen 
such that p will be prime as well. When the user 102 wants to retrieve digital objects 
202 from the group 106, the user 102 sends 302 a request and optionally the 
corresponding payment to the database 104. Upon receipt of the request, the database 
104 generates 303 a random ntunber R, 0 < R < p -1, and N keys k^, i = 1, 2, N, for a 
sjnnmetric key crj^ptosystem in a fashion well known in the art. One key k is associated 
with each digital object m. The database then encrypts 304 each digitzd object 202 in 
the group 106 with k^ 204 using the symmetric key cryptosystem to obtain dphertext c^ 
= e(kj, m), i = 1, 2, N 206. Finally, the database 104 encrypts 306 the keys 204 
themselves to obtain Sj = mod p, i = 1, 2, N 208, 

The database 104 next transmits 308 the encrypted objects 206 and keys 208 (q, 
Sj), i = 1, 2, N to the user 102, Assuming that tfie user 102 intends to retrieve n, n < N, 
digital objects n\i, m^, m,^ 202 from the group 106, the user 102 identifies 310 the 
objects 206 and keys 208 desired, and generates 311 n random numbers w^, 0 < w, < p -1, 
and then obtains 312 n re-enoypted keys W. = s..'*' mod p, j = 1, 2, n. The user 102 
sends 314 Wj, j = 1, 2, n and optionally the required payment to the database 104. 
The database 104 computes 316 and sends 318 W. '^'^^-'^ mod p, j = 1, 2> n, back 
to the user 102. 
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The user 102 computes 320 = -''mod p, j = 1, 2, n, and then decrypts 

c^. with using the symmetric key cryptosystem to recover digital objects = d(kj^ c^), 
j = l,2, •.•,n202. 

Fig. 4 is a block diagram that further illustrates the encryption performed on a 
digital object 202 by the database 104. The digital object 202 and its associated key 204 
are provided to the cryptosystem 406, to produce the ciphertext 206, e(k-, m^). Similarly, 
using a prirne niunber p 404, the key 204 and random number R 402, the key 204 itself is 
enaypted into ciphertext 208 via the cryptosystem 406. 

Fig. 5a is a block diagram illustrating the process carried out by the user 102 of 
re-encrypting 312 the key 204. In addition to the key ciphertext 208, a prime number p 
404 and random number w 502 are processed through the encryption algorithm (3^^** 
mod p, as described above) 504 to obtain the re-encrypted key 506- 

Similarly, Fig. 5b illustrates the partial decryption 314 performed by the database 
104 on the re-encrypted key 506. Using the previously-generated random number R 
402 and prime number p 404, the re-encrypted key 506 is then decrypted 314 using the 
decryption algorithm (W: <p-*> mod p) 508 to obtain the partially decrypted key U 
510. 

Fig. 6a illustrates the step of transforming the partially deorj^ted key U 510 into 
the unencrypted key K 204. The partially decrypted key U 510, the random number w 
502, and prime niunber p 404 are input into flie user decryption algorithm (Uj ^^"^"^^tp 
mod p) 602> thus revealing the imencryped key K 204. 

Then, as shown in Fig. 6b, key k 204 and ciphertext c 206 are input into the 
cryptosystem deayption algorithm (dCk^, c^) 604 to obtain the digital object m 202. 

Fig. 7 is a block diagram of an apparatus that is a preferred embodiment of the 
present invention. Note that the apparatus can be implemented either as hardware, 
firmware, or software. The user 102 has a user bus 726 through which each of the user 
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modules communicate. Similarly, the database 104 has a database bus 728. The user 
bus 726 and database bus 728 commimicate via connection 108. The user 102 requests a 
group from the database 104 using the requesting module 714. The user generates 
random munbers using the random number generatirig module 718. Transmissions 
from the database 104 to the user 102 are received by the receiving module 716. I>ata is 
sent from the user 102 to the database 104 via the transmitting module 722, User 102 
encryption is performed by the enaypting module 720, and user 102 decryption by the 
decryption module 724, 

Focusing on the database 104 modules illustrated in Fig. 7, the database 104 
generates random nimibers using the random number generating module 702. 
Transmissions from the user 102 to the database 104 are received by the receiving 
module 710. Transmissions from the database 104 to the user 102 are sent by the 
transmitting module 708. The database 104 also has a key generating module 704 for 
generating keys 204, an encrypting module 706, and a decrypting module 712. 

Security Considerations: 

First, it can be easily seen from this description that the user 102 can obtain the 
desired digital objects m^ 202 by decrypting dphertexts 206 with computes k^ — ^^"^ 
"^^ '^ mod p, j = 1, 2, n. That is, if both the database 104 and user 102 follow the 
protocol, the user 102 gets the desired information. However, imder no circumstances 
is the database 104 able to pinpoint which digital objects 202 are being retrieved by the 
user 102. In order for the database 104 to find out which digital object 202 the user 102 
is interested in retrieving; the database 104 would need to figure out which s^ 208 is 
being used to compute Wj - s^"^ mod p 506 by the user 102. However, the only 
information available to the database 104 is W. - S;.** mod p, 1, 2, n and s^ i = 1, 2, 
N. Since w.'s are randomly chosen and kept secret by the user 102, it is equally likely 
that all s./s 208 are being used ia computing W. = s^.'*' mod p, j = 1, 2, ► . n. Therefore, 
the user's privacy is satisfied without having to rely on any computational assumptions. 
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Next, we consider database 104 security. Without loss of generality, asstune that 
tfie user 102 has paid and retrieved m^, ir^, 20Z The tiser 102 then tries to recover 
m^,, which the user 102 is not authorized to access^ without the database's 104 help. 
This problem is equivalent to, given Sj 208(1), k, 204(1), s^ 208(2), 204(2), and 
s^^ finding such that = l:^^ mod p. One approach to solving this problem is to 
find R 402 from, for example, s^ = k,*^ mod p and then compute k^j = s^/^*^^^ mod p. But 
this is equivalent to solving the discrete logarithm problem, and is therefore not 
feasible. The second approach is to express s.^^ in terms of multiplication or division of 
Sj, s^, s,- Then k^^^ can be found from a corresponding expression in terms of k^, k^, 
kj. However, since k^, kj, kj. and kj^, are all independently and randomly chosen, 
finding the relationship between the ^'s is also not computationally feasible. 

Finally, digital objects 202 are enaypted with a symmetric key cryptosystem and 
the encryption keys 204 are protected using large exponentiations. To recover the 
digital objects 202 firom the ciphertexts 206, an eavesdropper must be able to break the 
symmetric key cryptosystem or solve the discrete logarithm problem. Both are 
computationally infeasible for well-designed ciphers and e3q>onentiations with large 
prime modulus. 

The above description is included to illustrate the operation of the preferred 
embodiments and is not meant to limit the scope of the invention. The scope of the 
invention is to be limited only by the following claims. From the above discussion, 
many variations will be apparent to one skilled in the art that would yet be 
encompassed by tiie spirit and scope of the present invention. 
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. ClaiiYis 

1. A method for retrieving digital objects from a group of digital objects 
maintained by a database, the group of digital objects being represented by the equation 
G " {n\, i = l,2, N), wherein G represents the group of digital objects, N represents 
the number of digital objects maintained by the database, i represents an index having 
allowable values between 1 and N inclusive, and m, represents an i* digital object 
within the group of digital objects^ the method comprising: 

generating a random number R and keys k^, i having allowable values between 1 

and N inclusive, for a symmetric key cryptosystem; 
determining a prime number p; 

encrjrpting digital object m, with key k^ using the symmetric key cryptosystem to 

obtain dphertext c^; 
assigning a value of k^*^ mod p to a key dphertext 

responsive to the database receiving a request signal from a user, sending and 
Sj to the user; 

receiving from the user a number n of input signals such that n is less tiian N, 

and j is an index having allowable values between 1 and n inclusive; 
computing changed dphertext JJ^ such ttiat is equal to w.'"^"^ mod p; and 
sending to the user. 



2- The method of daim 1, where the modulo operations may be carried out 
any group in which a discrete logarithm is infeasible to compute. 
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3. A method for a user to privately retrieve digital objects from a group of 
digital objects G = { m^, i=l,2, N) maintained by a database, the method comprising 
the steps of: 

sending a request signal to the database; 

receiving reply signals q, Sj, 1 - 1, 2, N from the database; 

generating random numbers computing and sending = mod p, j = 1, 2, 

n to ttie database; 
receiving signals } = 1,2, n from the database; 
computing = uji/-J««i(p-o p, j = 1, 2, n; and 

decrypting c^ with and a symmetric key oyptosj^tem to recover digital objects 
m^, j = 1,2, n. 

4. The method of claim 3, wherein the modulo operations may be carried out 
in any group in which a discrete logarithm is infeasible to compute. 

5. A metfiod for selectively retrieving digital objects from a database of 
digital objects using a symmetric key cryptosystem, tfie method comprising: 

for each digital object in the database: 

generating a unique key for the symmetric key cryptosystem; 

associating the key with the digital object; 

encrypting the digital object using the associated key and the 

symmetric key cryptosystem to produce a dphertext of the 

digital object; 

encrypting the associated key to obtain a dphertext of the key; 
transmitting the dphertext of the digital object and the dphertext of 
the key assodated with the digital object to a user; 
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receiving at least one changed dphertext of the keys associated with the digital 

objects in the database; 
decrypting each received changed dphertext; and 
transmitting the decrypted received changed dphertexts. 

6. A method for retrieving digital objects from a group of digital objects 
maintained by a database^, the method comprising the steps of: 

selectively requesting a plurality of digital objects from the database; 
receiving encrypted dphertext digital objects from the database; 
receiving from the database enoypted dphertext keys assodated with the 

received dphertext digital objects; 
encrypting at least one of the enaypted dphertext key^ to obtain changed 

dphertext heys; 
sending the dianged dphertext keys to the database; 

receiving partially decrypted changed dphertext keys from the database; 
decrypting the partially decrypted changed dphertext keys; and 
decrypting at least one of the received dphertext digital objects using the 
decrypted keys. 

7, An apparatus comprising: 

a computerized database; 

coupled to tfie database, a computer user; 

coupled to the database, a transmitting module for tremsmitting data to the user; 
coupled to the database, a receiving module for receiving data from the user; 
coupled to the database, a random nxunber generating module for generating 
random numbers; 
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coupled to the database, a computer user; 

coupled to the database, a transmitting module for transmitting digital 
obiects to the user; 

coupfed to the database, a receiving module for receiving digital 
objects from the user; 

coupled to the database, a random number generating module for 
generating random numbers; 

coupled to the database, a key generating module for generating 
cryptographic keys; 

coupled to the database, an encrypting module for encrypting digital 

obiects; 

coupled to the database, a decrypting module for decrypting digital 
pbiecte; 

coupled to the user, a requesting module for requesting digital objects 
from the database; 

coupled to the user, a transmitting module, for transmitting digital 
obiects to the database; 

coupled to the user, a receiving module, for receiving digital objects 
from the database; 

coupled to the user, a random number generating module for generating 
random numbers; 

coupled to the user, an encrypting module for encrypting digital object^ 

and 

coupfed to the user, a decrypting module for decrypting digital objects^ 
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8. A computer program product stored on a computer readable medium 
for retrieving digital objects from a group of digital objects maintained by a 
database, the computer program product controlling a processor coupled to the 
medium to perform the operations of: 

for each digital object in the database: 

generating a unique key for a symmetric key cryptosystem; 

associating the key with the digital object; encrypting the digital object using 
the associated key and the symmetric key cryptosystem to produce a ciphertext of 
the digital object; 

encrypting the associated key to obtain a ciphertext of the key; 

transmitting to a user the ciphertext of the digital object and the ciphertext of 
the key associated with the digital object to a user 

receiving at least one changed ciphertext of the keys associated with the 
digital objects in the database; 

decrypting each received changed ciphertext; and 

transmitting to the user the decrypted received changed ciphertexts. 
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Abstract of the Disclosure 

PRIVATE RETRIEVAL OF DIGITAL OBJECTS 

A database (104) maintains one or more groups (106) of digital objects (202). A 
user (102) wishes to retrieve one or more digital objects (202) from the database (104)^ 
without the database (104) being able to determine which particular digital objects (202) 
have been retrieved. In addition, the database (104) should not allow the user (102) to 
retrieve any digital objects (202) to which the user (102) has not been granted access. 
The user (102) requests the groups (106) containing the digital objects (202) the user 
(102) wishes to download, but does not identify the digital objects (202) within each 
group (106) that the user (102) is interested in. Using a synunetric key cryptosystem, 
the database (104) generates a key (204) for and encrypts each digital object (202) in the 
requested group (106) into dphertext (206), and additionally encrypts each key (204). 
The database (104) transmits the dphertexts (206) and encrypted keys (208) to the user 
(102). The user (102) identifies the keys (208) associated with the digital objects (202) of 
interest and further encrypts the kej^ (208), returning the changed keys (506) to the 
database (104). The database (104) reverses its encryption of the keys (506), and 
transmits the partially decrypted keys (510) back to the user (102). The user (102) then 
applies the user's (102) own decryption algorithm to the keys (510), and then uses tt\e 
decrypted keys (204) to decrypt the digital objects (202) of interest. 
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